As HIPAA is more rigorously enforced, fines and violations are likely to come at a much more regular pace than they have in the past.

Simply put, redaction technology automates the removal of protected health information (PHI) from a health record or other patient documentation. It eliminates the need for manual, black marker redaction that's been the norm.

Perhaps most important, though, is that redaction software allows health systems and their business associates to remove personal information in a timely manner and keep patients' personal information personal.

Protecting Against Unintended ROI

Redaction is necessary when confidential information concerning an individual's past, present or future mental or physical condition is contained within a patient record that will be released to a third party. Protected health information must be removed from all records, regardless of the type, including fax, voice mail, email or data within the EHR, for example.

The final HIPAA omnibus rule greatly increases patients' privacy protections and strengthens the government's ability to enforce the law. When releasing medical records to a third party, healthcare administrators must be more vigilant to ensure that an individual's confidential information is protected. The processes for handling the release of protected information must meet the requirements of HIPAA and serve the interests of patients.

Until now, HIPAA enforcement has been mostly lax because federal funds have been limited. However, in 2011 the U.S. Department of Health and Human Services (HHS) awarded a $9.2 million contract to KPMG, an audit and advisory firm, to launch the audit program as mandated by the HITECH Act.

The HITECH Act also incentivizes more aggressive pursuit of HIPAA violations, which means it's more likely that healthcare organizations will now be audited if any red flags pop up.

Given this, organizations may do well to add tools and capabilities to protect themselves from HIPAA fines and punishment. With the rise in HIPAA enforcement, healthcare leaders should consider increasing their IT spend to implement systems that better protect patients' health information, according to research firm Gartner.

The HITECH Act also extends certain HIPAA security and privacy requirements and sets the stage for greater enforcement, including:

Widening the scope of the law, requiring health information exchanges (HIEs) to be business associates of healthcare entities, and applying HIPAA privacy and security requirements directly to the HIEs

Greater penalties for noncompliance

Redirecting civil monetary penalties back into enforcement activities instead of into the general fund. This provides additional funds for future enforcement and incentivizes proactive enforcement activities

The HIPAA Privacy Rule originally created standards to protect patients' medical records and other personal information. The rule applies to health plans, healthcare clearinghouses and providers that conduct certain healthcare transactions electronically. The rule also requires safeguards to protect the privacy of patients' personal health information and limits release of information without patient authorization. Specifically, the HIPAA Privacy Rule was designed to protect individually identifiable health information from being distributed publicly and in a harmful manner.

The Privacy Rule allows for two redaction methods: 1) a formal determination by a qualified expert; or 2) the removal of specified individual identifying information, as well as the absence of actual information that could be used to identify an individual.

According to HHS, "both methods, even when properly applied, yield de-identified data that retains some risk of identification. Although the risk is very small, it is not zero, and there is a possibility that de-identified data could be linked back to the identity of the patient to which it corresponds."

Also, because of the HIPAA Safe Harbor standards, 18 identifiers associated with the patient, their household members, relatives and employers must be removed, including:

Names

All geographic subdivisions smaller than a state, including street address, city, county, precinct and ZIP codes

Additional information that should be redacted from the health record includes:

Adoption information of birth parents

Child/spouse abuse

Protection of minor's information

Behavioral health

Chemical/alcohol dependency

Reproductive health

HIV/AIDS status

Genetic information

Other information as required by state laws

Although solutions exist to automate the redaction of PHI, most organizations still redact records manually, even as health systems streamline repetitive, manual processes in other areas of their practices.

Effectively Managing ROI through Redaction

Healthcare organizations are scrambling to find new ways to ensure patient health records remain secure, Gartner says. Additionally, consequences for HIPAA infractions are translating into huge shifts in IT spending for technologies to mitigate risks of breach. Typically, however, organizations have, or should have, policies in place to determine when redaction is required. Healthcare facilities, health plans and business associates must routinely redact PHI and they need to know how redaction should be performed.

Just as the argument can be made for the implementation of EHRs and how they can lead to leaner and more efficient processes, the same can be said for redaction software.

Using redaction in existing workflows, like when partnered with the functionality of an EHR, creates a more HIPAA-compliant environment where information is better protected from leaks. Liability also is likely mitigated. And, with greater federal oversight and enforcement of HIPAA, those looking to stay ahead of an evolving HIPAA Privacy Rule may find value in an automated process to redact personal health information.
